Customers of popular online shopping website Catch of the Day are being urged to change their passwords after the company disclosed on Friday it had suffered a data breach.

The breach, which compromised names, home addresses, email addresses, "hashed" passwords (stored as one-way digests rather than reversibly encrypted; such digests can still be cracked offline if the hashing scheme is weak or unsalted), and in some cases credit card data, occurred in early May 2011, Catch Group, which runs the site, said.

The company disclosed the breach in an email sent to users after 5pm on Friday – 38 months after the data was initially stolen.

Catch of the Day's email.

The breach was the result of an "illegal cyber intrusion" that targeted Catch of the Day and "other online retailers and businesses" in early 2011, it said in the email.


"We sincerely apologise to our loyal customers that these events occurred and can assure you that we have dedicated significant resources to security and privacy to avoid these events in future," the email said.

Catch Group said it immediately informed police, banks and credit card companies at the time of the breach.

OMG's message to users.

It said the police, banks and credit card companies assisted it "in taking action to protect our users". The assistance included banks cancelling customers' credit cards and police "launching investigations into the perpetrators".

Why the company decided to wait until now to report the breach to its customers has stumped IT security experts and users. In its email, Catch Group said "technological advances" meant there was an "increasing risk" that its users' hashed passwords "may become compromised", which was why it was asking all Catch of the Day users with accounts created before May 7, 2011, to change their passwords and credentials on its website and also on other sites that used the same details. The risk it refers to is offline cracking: an attacker holding a stolen table of password hashes can keep guessing against it indefinitely, and the hardware and techniques for doing so have become cheaper and faster since 2011, so a hash that was impractical to crack when stolen may not be by now.
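The following is an added worked example, not code from the article or from Catch Group, showing why a leaked table of "hashed" passwords becomes easier to crack over time and what a properly stored password looks like by contrast. The article does not say which hashing scheme Catch of the Day used; the example assumes a fast unsalted hash (SHA-1) as the weak case and PBKDF2-HMAC-SHA256 as the slow, salted case. The user records and wordlist are constructed for the demonstration.

```python
"""Offline cracking of a leaked password table: fast unsalted hash vs. salted slow KDF.

Added illustration (not from the article). With an unsalted fast hash, the
attacker hashes each candidate word once and reuses the lookup table against
every account in the leak, so per-account cost keeps dropping as hardware
improves. With a per-user salt and a deliberately slow KDF, each (account,
candidate) pair costs a full KDF run, and the iteration count can be raised
as attacker compute grows.
"""
import hashlib
import hmac
import os

# Constructed sample data; not real customer records.
WORDLIST = ["password", "123456", "catch2011", "letmein", "bargain", "qwerty"]
USERS = {"alice": "catch2011", "bob": "letmein", "carol": "Tr0ub4dor&3-zxcv"}

# Small so the example runs quickly; production deployments use hundreds of
# thousands of PBKDF2 iterations, or a memory-hard KDF such as scrypt/Argon2.
DEMO_ITERATIONS = 1000


def sha1_unsalted(pw: str) -> str:
    """The weak case: one fast, unsalted digest per password."""
    return hashlib.sha1(pw.encode()).hexdigest()


def pbkdf2_salted(pw: str, salt: bytes, iterations: int) -> bytes:
    """The stronger case: salted, tunable-cost key derivation."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def leak_unsalted(users: dict) -> dict:
    """What an attacker gets from a site storing bare SHA-1 digests."""
    return {u: sha1_unsalted(p) for u, p in users.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Build the candidate table once, then it is a dictionary lookup per account.

    Returns (recovered passwords, number of hash computations performed).
    """
    table = {sha1_unsalted(w): w for w in wordlist}  # shared across all users
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def leak_salted(users: dict, iterations: int) -> dict:
    """What an attacker gets from a site using per-user salts and PBKDF2."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)  # unique per account, stored alongside the digest
        out[u] = (salt, iterations, pbkdf2_salted(p, salt, iterations))
    return out


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """No shared table is possible: every (account, candidate) pair is a KDF run.

    Returns (recovered passwords, number of KDF runs performed).
    """
    recovered = {}
    work = 0
    for u, (salt, iters, digest) in leaked.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(pbkdf2_salted(w, salt, iters), digest):
                recovered[u] = w
                break
    return recovered, work


def verify_salted(stored: tuple, pw: str) -> bool:
    """Server-side login check against a stored (salt, iterations, digest) record."""
    salt, iters, digest = stored
    return hmac.compare_digest(pbkdf2_salted(pw, salt, iters), digest)


if __name__ == "__main__":
    rec, work = crack_unsalted(leak_unsalted(USERS), WORDLIST)
    print("unsalted SHA-1: recovered", rec, "with", work, "hash computations")
    salted = leak_salted(USERS, DEMO_ITERATIONS)
    rec, work = crack_salted(salted, WORDLIST)
    print("salted PBKDF2: recovered", rec, "with", work, "KDF runs of",
          DEMO_ITERATIONS, "iterations each")
```

Both schemes give up the weak passwords in the constructed wordlist; the difference is the cost curve. The unsalted table costs the attacker one hash per candidate regardless of how many accounts leaked, which is why a 2011 dump remains a live threat in 2014. The salted scheme multiplies the cost by the number of accounts and by the iteration count, and the defender can raise that count over time, which is the only real answer to the "technological advances" the company cites.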

Calls to Catch Group director Gabby Leibovich went unanswered on Monday.

Federal privacy commissioner Timothy Pilgrim said in a statement that Catch Group reported the breach to his office in June.

"The [Office of the Australian Information Commissioner] was not informed about the incident at the time it occurred," the commissioner said. "The OAIC has asked Catch of the Day for further information about the incident."

"For the avoidance of doubt, we would like to assure all Kogan.com customers that we were not affected by the security breach impacting the daily deals website, and the first we heard of it was ... late on Friday," Kogan said in a statement on its Facebook page.

Chris Gatford, of security firm HackLabs, said the amount of time between the breach and notification to users was "unusual".

"As a customer of this site, you do have to wonder about what specifically went wrong and some more detail around that would've been more helpful," Mr Gatford said. "Nonetheless, at least they are advising their customers and that's certainly something that doesn't happen very frequently."

He said most breaches went unreported. Of about 100 cases he has reported to Australian companies in the five years HackLabs has existed, only about 5 per cent have been publicly disclosed.

When reporting an incident, Mr Gatford said he was often met with "defiance, anger and disbelief". It was only when talking to senior staff that companies would tend to take more notice.

Mr Gatford said a mandatory data breach notification scheme would be beneficial not just for consumers but also for business people, and he hoped it would make them start to think more seriously about security.

"The upside of [a mandatory data breach notification scheme] is an organisation does a better job [of securing its users' data]," he said.

In 2013–14, the federal privacy commissioner received 71 data breach notifications, a 16 per cent increase on the previous year. Despite the relatively small number, the privacy commissioner warned that critical incidents may still be going unreported. "Consequently consumers may be unaware when their personal information could be compromised," he said.

Catch of the Day's disclosure of the breach came a day after search engine optimisation firm Online Marketing Group, owned by Fairfax Media, also reported a data breach.

In an email to its customers last Thursday, OMG said it had become aware that one of its servers had been compromised. The server contained personal information including customers' names, postal addresses, telephone numbers, email addresses and passwords.

"Our analysis suggests that while there was unauthorised use of the server, there is no evidence that your customer data has been copied or viewed. As a precautionary measure, we require all users (both active and non-active) to take immediate action," OMG managing director Simon Carson said. The action suggested by OMG was to change compromised passwords.

19 comments so far

As if it wasn't bad enough, several COTD customers who happened to use e-mail addresses specific to their COTD accounts reported receiving spam from 'mynetsale.com.au' in February 2012. Wasn't clear whether this was a result of unauthorised access or COTD intentionally sharing the addresses with a third party, but someone from COTD responded on the Whirlpool forum saying they'd investigate. There was apparently silence after that.

Frustrating how easy it is, even after such a clear indication customer data hadn't been kept private/secure, for an organisation to just keep quiet and let the matter breeze by.

Commenter: kit (Sydney), July 21, 2014, 2:45PM

Nothing on their website, very limited info on Social Media, not responding to media enquiries. Seems like they're trying to sweep this under the carpet.

I used my credit card on a friend's CotD account a few years ago, and have no idea if this credit card # was among those breached.

Commenter: AndrewJ, July 21, 2014, 2:46PM

I occasionally (1-2 times/year) buy from Catch but I was not notified of the breach. They have my email address as they send me their daily deals. I hope they haven't stored my credit card details but it sounds like the "horse has well and truly bolted."

Commenter: grumpy (westvic), July 21, 2014, 2:54PM

It is clear from my experience and other comments in social media that people have had credit cards cancelled/reissued or blocked for web use by their banks without knowing why. Others would have chosen to have their cards cancelled had they known. People continued to use their password for 3 years, probably across multiple sites. This behaviour is reprehensible.

Commenter: Catie, July 21, 2014, 3:47PM

It might be reprehensible but until the geeks come up with a foolproof way for people to create multiple passwords across multiple online purchasing sites while managing to keep them in their memory without writing them down that is always going to happen. Got any solutions to that @catie?

Commenter: Just sayin (Sydney), July 22, 2014, 12:15PM

I guess now I know why my credit card was cancelled and re-issued by the bank a couple of years ago.

Catch of the day have just lost themselves a customer.

When the class action is launched, sign me up.

Commenter: SG (Melbourne), July 21, 2014, 3:47PM

Never knew this site existed until today.

Commenter: Gerson (Sydney), July 21, 2014, 3:50PM

There is something called the PCI-DSS standard, which has had two major revisions.

If your online store does not utilize this standard (or utilize third-party hosted credit card merchants that use this standard), don't shop with them.

While PCI-DSS is not foolproof, its design ensures that there is separation of IT system infrastructure and encryption of credit card data, which ensures that it is much harder to retrieve such data from hacking attempts.

Commenter: Phillip Parker (Bittern), July 21, 2014, 4:02PM

Small fry

Commenter: JR Brand, July 21, 2014, 4:12PM

Very dodgy company. I've bought numerous products from them, but the moment you have a complaint about a product, which I've had in the past, you get very little support from them. Have not bought from them since that lack of response. I'm not surprised by the deceit. 38 months, says it all really!!!